1.環境準備
[root@CentOS 7 ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@CentOS 7 ~]# uname -r
3.10.0-327.el7.x86_64
[root@CentOS 7 ~]# getenforce
Disabled ----SELinux 與 firewalld 關閉僅適用於實驗環境;正式環境應保留啟用,並只放行 22/tcp(或自訂的 SSH 端口)
[root@CentOS 7 ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
[root@CentOS 7 ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.201 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fe80::20c:29ff:fe40:1a4e prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:40:1a:4e txqueuelen 1000 (Ethernet)
RX packets 79743 bytes 65986287 (62.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 54690 bytes 70448334 (67.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.1.201 netmask 255.255.255.0 broadcast 172.16.1.255
inet6 fe80::20c:29ff:fe40:1a58 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:40:1a:58 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
TX packets 10 bytes 744 (744.0 B)
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
TX packets 0 bytes 0 (0.0 B)
2.檢視SSH端口
[root@CentOS 7 ~]# netstat -lntup | grep sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1518/sshd
tcp6 0 0 :::22 :::* LISTEN 1518/sshd
3.密鑰認證
3.1建立密鑰對
[root@CentOS 7 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): ----密鑰對儲存路徑
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): ----為密鑰對建立密碼
Enter same passphrase again: ----确認密碼
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
7d:dc:8c:89:80:5d:79:97:6b:e4:2d:53:89:ba:d6:13 root@CentOS 7
The key's randomart image is:
+--[ RSA 2048]----+ ----RSA 密鑰長度為 2048 位(目前建議加上 -b 4096,或改用 -t ed25519)
| .. ...|
| o .. ..+..|
| . o ..+ + |
| o + E* .|
| S o B.+o |
| + o |
| . . |
| |
+-----------------+
3.2分發公鑰
[root@CentOS 7 .ssh]# ssh-copy-id -i /root/.ssh/id_rsa.pub [email protected] ----此處直接以 root 登入遠端;正式環境建議改用一般帳號加 sudo,並將 PermitRootLogin 設為 prohibit-password
The authenticity of host '172.16.1.63 (172.16.1.63)' can't be established.
ECDSA key fingerprint is 0b:bf:14:a7:9e:87:69:5d:7c:a5:25:b9:65:22:35:08.
Are you sure you want to continue connecting (yes/no)? yes ----首次連線前應先透過帶外管道(主控台、已知的 known_hosts 等)核對上方主機指紋再輸入 yes,否則無法防範中間人攻擊
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: ----第一次分發公鑰,需要輸入密碼
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
3.3測試
[root@CentOS 7 ~]# ssh 172.16.1.63
Last login: Fri Mar 30 17:11:08 2018 from 10.0.0.1
[root@gitlab ~]# ifconfig
inet 10.0.0.63 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fe80::20c:29ff:feae:fb74 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:ae:fb:74 txqueuelen 1000 (Ethernet)
RX packets 9568 bytes 2809779 (2.6 MiB)
TX packets 382 bytes 30216 (29.5 KiB)
inet 172.16.1.63 netmask 255.255.255.0 broadcast 172.16.1.255
inet6 fe80::20c:29ff:feae:fb7e prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:ae:fb:7e txqueuelen 1000 (Ethernet)
RX packets 87 bytes 18256 (17.8 KiB)
TX packets 88 bytes 21538 (21.0 KiB)
RX packets 66294 bytes 49504554 (47.2 MiB)
TX packets 66294 bytes 49504554 (47.2 MiB)
4.認證代理
4.1管理主機建立密鑰對(以上步驟)
4.2分發公鑰(以上步驟)
4.3管理主機啟動認證代理
[root@CentOS 7 ~]# eval `ssh-agent -s`
Agent pid 2994
4.4管理主機向agent代理伺服器注冊本地伺服器私鑰資訊
[root@CentOS 7 ~]# ssh-add
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
4.5管理主機以 -A 將認證代理轉發給被代理主機(私鑰本身不會被傳送,但被代理主機上的 root 可透過轉發的 agent socket 以你的身份簽名登入其他主機,故只對受信任的主機開啟 -A;能用 ProxyJump 時優先使用)
[root@CentOS 7 ~]# ssh -A 172.16.1.63
Last login: Fri Mar 30 20:03:21 2018 from 172.16.1.21
4.6測試
[root@gitlab ~]# ssh 172.16.1.21
Last login: Fri Mar 30 20:08:27 2018 from 172.16.1.63
5.自動建立密鑰對,分發公鑰(Shell腳本)
#!/bin/bash
##############################################################
# File Name: ssh_fenfa.sh
# Version: V7.4
# Author: feng yu
# Organization: http://blog.51cto.com/13520761
# Created Time : 2018-03-30 20:13:36
# Description:
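# Ensure root has a key pair to push to the managed hosts below.
# A key is generated only when none exists: clobbering an existing
# /root/.ssh/id_rsa would silently break every host that already trusts it.
# (A bare "else" followed by "fi" does not parse, and "[ x > 0 ]" is a
# redirection, not a comparison, so the check is written explicitly.)
fil=/root/.ssh/id_rsa*   # kept for any later reference in this script
key=/root/.ssh/id_rsa
if [ ! -f "$key" ]; then
  mkdir -p /root/.ssh && chmod 700 /root/.ssh
  # -P "" leaves the private key unencrypted so the pushes can run unattended;
  # anyone who can read /root/.ssh then holds root on every target host.
  # Outside a throwaway lab, set a passphrase and use ssh-agent (section 4).
  ssh-keygen -t rsa -b 4096 -f "$key" -P "" >/dev/null 2>&1 \
    || { echo "ssh-keygen failed" >&2; exit 1; }
fi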
if [ $(rpm -qa sshpass|wc -l) -lt 1 ];then
yum install -y sshpass &>/dev/null
for ip in 21 63
do